Create a Role
Click Users & Roles then View all roles.
Click Create a Role.
Set up the role
First, name the role - this needs to be a unique identifier that doesn’t include spaces or other characters.
Next, choose your options:
|Option|Description|See also|
|---|---|---|
|Azure AD group (optional)|Enter your Azure AD group to apply the role to. Available only if Azure AD is a default authentication provider.|Configure Azure AD roles|
|LDAP group (optional)|Choose which LDAP group to apply the role to. Available only if LDAP is a default authentication provider.|Configure LDAP roles|
Types of Role
There are two basic types of role you can create.
|Role Type|Description|See also|
|---|---|---|
|Cirro Permissions Role|Create a role that includes a collection of child roles and/or Cirro permissions.|Cirro Permissions Role|
|Datasource Keychain Role|Create a role that grants access to databases and objects.|Datasource Keychain Role|
You can also mix and match child roles, permissions and credentials within the same role if required.
Cirro Permissions Role
A Cirro role can contain child roles which already exist on the server and a collection of Cirro permissions that enable the role to perform different functions.
- Toggle Grant Role to Role to view a list of all Roles your user has permissions to view.
Also available are Cirro’s built-in roles, created to speed the onboarding process. Each allows login to Cirro and a subset of Cirro permissions.
|Role|Description|
|---|---|
|secure_connect|The secure_connect role allows users to log in to Cirro and execute SQL on single datasources.|
|federated_read_only|The federated_read_only role allows users to execute SQL queries on groups of datasources, but only as read-only.|
|federated_read_write|The federated_read_write role allows users to execute SQL queries on groups of datasources and write to these databases.|
|data_migrator|The data_migrator role is used for data management to manage and execute data copy projects.|
|cirro_admin|The administrator role that has all Cirro permissions to allow complete administration of the Cirro system.|
Tick roles then use the arrow keys to grant or revoke them.
Toggle Grantable so any user granted the parent role can grant the child role to other users.
Grant Cirro Permissions
Cirro permissions are required to access different Cirro functionality and are equivalent to specific Cirro SQL commands.
Select permissions then use the arrow keys to grant or revoke them.
Click NEXT then Finish to save.
Datasource Keychain Roles
A Datasource Keychain role grants access to datasources and objects.
Click Next until the Database Credentials page opens.
The page contains all direct Database privileges the role has been granted, with the datasource and user name.
You can edit the credential login user or revoke the credential.
When you grant a credential, the database username and password restrict access to the data within. You can add an additional level of security by defining object access.
Granting a credential is a two-step process.
First, click to open the credential dialog.
Second, choose the Datasource, then enter the appropriate username and password. For example, for a DBA user, you’d use the DBA username.
Click Add Credential.
Once added, the new credential appears on the page. You can edit the username and password or delete the credential.
Define object access
To add an additional level of security, you can grant specific permissions at the schema, database, object and column level.
Click NEXT until the System Object Permissions page opens.
This is a three-step process.
First, click to open the object picker.
Choose the system, database and object, then click the arrow keys to grant them.
Click OK when finished.
Second, tick each privilege (e.g., SELECT, DELETE, UPDATE) and use the arrow keys to grant or revoke.
Third, set an encryption key (if required).
Select the objects then click Encryption Keys.
Tick each key then use the arrow keys to grant or revoke.
Click OK when finished.
When you’re ready, click Finish to save the role.